On 06/10/2010 21:01, Martin Gregorie wrote:
On Wed, 06 Oct 2010 09:02:21 -0700, geekbuntu wrote:

in general, what are things i would want to 'watch for/guard against' in
a file upload situation?

i have my file upload working (in the self-made framework @ work without
any concession for multipart form uploads), but was told to make sure
it's cleansed and cannot do any harm inside the system.

Off the top of my head, and assuming that you get passed the exact
filename that the user entered:

- The user may need to use an absolute pathname to upload a file
   that isn't in his current directory, so retain only the basename
   by discarding the rightmost slash and everything to the left of it:
     /home/auser/photos/my_photo.jpg   ===>  my_photo.jpg
     c:\My Photos\My Photo.jpg         ===>  My Photo.jpg

- If your target system doesn't like spaces in names or you want to be
   on the safe side there, replace spaces in the name with underscores:
     My Photo.jpg     ===>     My_Photo.jpg

- reject any filenames that could cause the receiving system to do
   dangerous things, e.g. .EXE or .SCR if the upload target is Windows.
   This list will be different for each upload target, so make it
   configurable.

You can't assume anything else about the extension.
   .py .c .txt and .html are all valid in the operating systems I use
   and so are their capitalised equivalents.

A whitelist is better than a blacklist; instead of rejecting what you
know could be dangerous, accept what you know _isn't_ dangerous.

- check whether the file already exists. You need
   rules about what to do if it exists (do you reject the upload,
   silently overwrite, or alter the name, e.g. by adding a numeric
   suffix to make the name unique?):

      my_photo.jpg  ===>   my_photo-01.jpg

- run the application in your upload target directory and put the
   uploaded file there or, better, into a configured uploads directory
   by prepending it to the file name:

     my_photo.jpg   ===>   /home/upload_user/uploads/my_photo.jpg

- make sure you document the process so that a user can work out
   what has happened to his file and why if you have to reject it
   or alter its name.

not sure but any suggestions or examples are most welcome :)

There's probably something I've forgotten, but that list should get you
going.

Maximum file size, perhaps?
--
http://mail.python.org/mailman/listinfo/python-list

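The rules collected in the thread above (keep only the basename, replace spaces, whitelist extensions, make the name unique, prepend a configured uploads directory, cap the size), put together as one Python sanitiser. This is an added example, not code from any of the posters; the whitelist, the 5 MiB limit, the `existing` set standing in for a directory listing, and all function names are assumptions made for the demo, and the uploads directory is the POSIX path from Martin's example.

```python
import posixpath
import re

# Constructed settings; a real application would read these from its config
# (the thread asks for the extension list in particular to be configurable).
UPLOAD_DIR = "/home/upload_user/uploads"                       # path from the thread
ALLOWED_EXTENSIONS = frozenset({".jpg", ".jpeg", ".png", ".gif", ".txt", ".pdf"})
MAX_UPLOAD_BYTES = 5 * 1024 * 1024                             # assumed 5 MiB cap


class UploadRejected(ValueError):
    """Raised when an upload breaks one of the rules; the message is meant to
    be shown to the user so they can work out why the file was refused."""


def basename_only(user_name):
    """Keep only the part after the last '/' or '\\'.

    Both separator styles are handled because a Windows browser may send
    'c:\\My Photos\\My Photo.jpg' to a Linux server, where os.path.basename
    would leave the whole string intact.
    """
    name = re.split(r"[\\/]", user_name)[-1]
    # An empty name or a directory entry is not a file name at all.
    if name in ("", ".", ".."):
        raise UploadRejected("filename has no usable basename")
    return name


def normalise_spaces(name):
    """Replace spaces with underscores so the target file system is happy."""
    return name.replace(" ", "_")


def check_extension(name, allowed=ALLOWED_EXTENSIONS):
    """Whitelist, not blacklist: accept only extensions known to be harmless.
    Compared case-insensitively so '.JPG' and '.jpg' are treated alike."""
    ext = posixpath.splitext(name)[1].lower()
    if ext not in allowed:
        raise UploadRejected("extension %r is not permitted" % ext)
    return name


def unique_name(name, existing):
    """If `name` is taken, append -01, -02, ... before the extension.

    `existing` is the set of names already in the uploads directory; a real
    application would build it with os.listdir() or test os.path.exists().
    """
    if name not in existing:
        return name
    stem, ext = posixpath.splitext(name)
    for i in range(1, 100):
        candidate = "%s-%02d%s" % (stem, i, ext)
        if candidate not in existing:
            return candidate
    raise UploadRejected("too many files already named like %r" % name)


def check_size(size, limit=MAX_UPLOAD_BYTES):
    """Reject uploads over the configured maximum before touching the disk."""
    if size > limit:
        raise UploadRejected("file of %d bytes exceeds the %d byte limit" % (size, limit))
    return size


def safe_upload_path(user_name, size, existing, upload_dir=UPLOAD_DIR):
    """Apply every rule in order and return the final path to write to."""
    check_size(size)
    name = basename_only(user_name)
    name = normalise_spaces(name)
    check_extension(name)
    name = unique_name(name, existing)
    # Prepending the configured directory is what keeps the file where we
    # expect it, regardless of what path the user typed.
    return posixpath.join(upload_dir, name)


def is_accepted(user_name, size, existing=frozenset()):
    """Convenience wrapper: True if the upload would be stored, False if refused."""
    try:
        safe_upload_path(user_name, size, existing)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed inputs taken from the examples in the thread.
    taken = {"my_photo.jpg"}
    print(safe_upload_path("/home/auser/photos/my_photo.jpg", 2048, taken))
    print(safe_upload_path(r"c:\My Photos\My Photo.jpg", 2048, taken))
    print(is_accepted("setup.EXE", 2048))
```

The order matters: the size check runs first so an oversized body is refused before any name work, and the whitelist is applied after the name has been reduced to its basename so a path component cannot smuggle in a different extension.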